Kelp Exploit Drains $292 Million, Triggering Liquidity Crisis at Aave

A sophisticated exploit targeting the Kelp protocol has resulted in a loss of approximately $292 million, exposing deep structural vulnerabilities in the decentralized finance (DeFi) ecosystem. The attack centered on the rsETH token, a yield-bearing version of ether, and the infrastructure used to transfer assets across blockchains. The breach occurred via a LayerZero bridge component that relied on a 'single-signer' setup. This configuration allowed the attacker to bypass standard verification and mint massive quantities of rsETH without the required underlying collateral. Industry experts note that trusting a single party for verification created a critical point of failure. Once the unbacked tokens were created, the attacker deposited them into lending markets—primarily Aave—to borrow liquid ETH. This maneuver effectively shifted the loss from a single protocol to the broader lending market, leaving Aave holding worthless collateral while liquid assets were drained. The fallout was immediate, with Aave experiencing a $6 billion decline in total assets as users rushed to withdraw funds. The AAVE token price fell approximately 15% within 24 hours. This event follows a similar $285 million exploit of the Drift protocol, further eroding investor confidence in the $90 billion DeFi sector. Analysts warn that non-isolated lending models, where assets share risk across pools, amplify these risks. The incident underscores the danger of inadequate onboarding configurations for new assets and the potential for cascading failures in an increasingly interconnected financial landscape.